Hello Splunkers.
I have the following sample data with more than 1000 ids. What I'm looking for is, when a radio status is down, to also include the nearby radio id information in my alert search:
radioid=101 radiostatus=down region=Europe
radioid=102 radiostatus=up region=Europe
radioid=103 radiostatus=down region=Europe
radioid=104 radiostatus=down region=America
For example, if radioid 103 was down then I need the status of radioid 102 as well as the status of 104, i.e. the near-range radio id status info I also want to add to the search.
@Splunk_rocks can you try with the following streamstats commands to get previous and next values for radioid and radiostatus?
| streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
| reverse
| streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
| reverse
Then you can apply the logic as per your need. Following is the logic I have applied based on the information provided, but adjust it as per your actual requirement:
| eval finalRadioStatus=case(radiostatus="down" AND nextStatus="down" AND nextId=radioid+1,"down",
radiostatus="down" AND prevStatus="down" AND prevId=radioid-1,"down",
true(),"up")
Following is a run anywhere search which generates the data and shows how the logic is applied:
| makeresults
| eval data="radioid=101 radiostatus=down region=Europe;radioid=102 radiostatus=up region=Europe;radioid=103 radiostatus=down region=Europe;radioid=104 radiostatus=down region=America"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| kv
| streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
| reverse
| streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
| reverse
| eval finalRadioStatus=case(radiostatus="down" AND nextStatus="down" AND nextId=radioid+1,"down",
radiostatus="down" AND prevStatus="down" AND prevId=radioid-1,"down",
true(),"up")
Thanks for your inputs, much appreciated.
I will check, but how can I get the status into the search for the radioid and status info?
Like this:
radioid  status  region  nearbyid  status  nearbyid  status
103      down    atl     102       up      101       up
You should be able to easily manipulate the above run anywhere example to get only the required fields, which you can plug in to your original query. Also, it seems like you do not need the eval for finalRadioStatus, as you are just displaying the current id and the nearby ids and statuses.
Are the 100 events / ids always at the same time? Meaning with the same timestamp?
It's not the same timestamp; all are different events. Just treat them like normal hosts sending.
All I need to do is check the neighboring id status, id+1 (1 higher number) and id-1 (1 lower number), which also needs to be added to my search.
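The neighbor table asked for above, as an added run-anywhere search that is not from the original thread. It reuses the streamstats field names from the earlier reply (prevId, prevStatus, nextId, nextStatus) and adds three things the thread raises but does not show: a stats step that folds the differently-timestamped events down to the latest status per radioid (an assumption about how the real data should be collapsed), a numeric sort so streamstats compares true neighbors rather than arrival order, and a null-out of the neighbor columns when the adjacent id (id-1 or id+1) does not exist, so a gap in the numbering is not reported as a neighbor.

```spl
| makeresults
| eval data="radioid=101 radiostatus=down region=Europe;radioid=102 radiostatus=up region=Europe;radioid=103 radiostatus=down region=Europe;radioid=104 radiostatus=down region=America"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| kv
| stats latest(radiostatus) as radiostatus latest(region) as region by radioid
| eval radioid=tonumber(radioid)
| sort 0 radioid
| streamstats last(radioid) as prevId last(radiostatus) as prevStatus current=f window=1
| reverse
| streamstats first(radioid) as nextId first(radiostatus) as nextStatus current=f window=1
| reverse
| eval prevStatus=if(prevId=radioid-1, prevStatus, null())
| eval prevId=if(prevId=radioid-1, prevId, null())
| eval nextStatus=if(nextId=radioid+1, nextStatus, null())
| eval nextId=if(nextId=radioid+1, nextId, null())
| where radiostatus="down"
| table radioid radiostatus region prevId prevStatus nextId nextStatus
```

On the sample data this returns three rows (101, 103, 104): 101 has no prevId, 103 shows 102/up and 104/down, and 104 shows 103/down with no nextId. On real data, replace the makeresults through kv lines with the base search that returns the radio events; everything from stats onward stays the same.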